CVE-2023-27974 Information

Description

** DISPUTED ** Bitwarden through 2023.2.1 offers password auto-fill when the second-level domain matches, e.g., a password stored for an example.com hosting provider when customer-website.example.com is visited. NOTE: the vendor's position is that "Auto-fill on page load" is not enabled by default.
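
The matching behaviour described above, as an added example that is not Bitwarden's code: it compares a second-level (registrable) domain match with a full-host match for the example.com case from the description. The function names and the small suffix set are assumptions made for illustration; real implementations consult the Public Suffix List.

```javascript
// Added illustration; not Bitwarden's code. All function names are hypothetical.
// Assumption: a tiny constructed suffix set stands in for the Public Suffix List.
const CONSTRUCTED_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain = public suffix plus one label to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the longest candidate suffix to the shortest so "co.uk" beats "uk".
  for (let i = 1; i < labels.length; i++) {
    if (CONSTRUCTED_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // bare suffix or unknown suffix: never treat as a match
}

// Loose policy: any host under the same registrable domain matches.
function matchesBaseDomain(savedUri, pageUrl) {
  const saved = registrableDomain(new URL(savedUri).hostname);
  const page = registrableDomain(new URL(pageUrl).hostname);
  return saved !== null && saved === page;
}

// Strict policy: hostname and port must be identical.
function matchesHost(savedUri, pageUrl) {
  return new URL(savedUri).host === new URL(pageUrl).host;
}

// Evaluate both policies for one saved login against several visited pages.
function compare(savedUri, pages) {
  return pages.map((page) => ({
    page,
    baseDomain: matchesBaseDomain(savedUri, page),
    host: matchesHost(savedUri, page),
  }));
}

// Constructed sample data based on the hostnames in the description.
const SAVED_LOGIN = "https://example.com/login";
const VISITED = [
  "https://example.com/account",
  "https://customer-website.example.com/",
  "https://example.org/",
];

console.table(compare(SAVED_LOGIN, VISITED));
```

Only the second row differs between the two policies: the customer-hosted subdomain matches under the base-domain policy and is rejected under the host policy.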

Reference

https://news.ycombinator.com/item?id=35075861
https://flashpoint.io/blog/bitwarden-password-pilfering/
https://github.com/bitwarden/clients/releases
